d4fe69faec08896254af42332050a6e0N

Sharing

Copy URL

Twitter E-mail

General

Target

d4fe69faec08896254af42332050a6e0N
Size

827KB
MD5

d4fe69faec08896254af42332050a6e0
SHA1

c4bde06112abfb37790ab71fb9ec1bf83691e707
SHA256

bd80b9259b14b09b028a85cfc72556fdb9a07f6dad918f3f44d1060e667c71e7
SHA512

94f8ea07cf1dda87cc1fa8ff160104a8630a2737128aafa0a0211c469ab5ac8da0b9d5ba9fb91cc42eec08132f5a147f52bf3063d8a73b6af1d7c7a3fffc6800
SSDEEP

24576:H9OWkexmP2OHq7lFzVaJ7OlRoZqL49yCH:H9D6qNWOlRCJ9r

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
d4fe69faec08896254af42332050a6e0N

Files

d4fe69faec08896254af42332050a6e0N
.exe windows:5 windows x86 arch:x86

def23542706b4c1bf230bd9cb867c04e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

NtWaitForMultipleObjects
ZwLoadKey
RtlQueryDepthSList
RtlQueryInformationAcl
NtSetSystemEnvironmentValueEx
RtlSetProcessIsCritical
RtlDeNormalizeProcessParams
ZwAccessCheckByType
NtSetVolumeInformationFile
RtlApplyRXactNoFlush
ZwOpenJobObject
RtlDeleteTimerQueueEx
isupper
RtlInitAnsiString
RtlQueryInformationActiveActivationContext
ZwImpersonateAnonymousToken
ZwSetInformationToken
NtCreateProfile
DbgSetDebugFilterState
RtlFindSetBits
ZwCreateThread
RtlSetControlSecurityDescriptor
NtEnumerateValueKey
RtlDeactivateActivationContext
NtAccessCheck
NtSuspendProcess
RtlTryEnterCriticalSection
ZwAccessCheckByTypeAndAuditAlarm
NtCreateMailslotFile
ZwFreeUserPhysicalPages
RtlxOemStringToUnicodeSize
RtlValidSid
ZwDelayExecution
RtlValidateProcessHeaps
PfxInsertPrefix
_CIpow
RtlValidateHeap
NtSetTimer
RtlFindSetBitsAndClear
RtlExitUserThread
LdrGetDllHandle
NtQueryInstallUILanguage
NtQueryPortInformationProcess

kernel32

Process32NextW
Toolhelp32ReadProcessMemory
InterlockedFlushSList
GetProcessHeap
InitAtomTable
InterlockedDecrement
GetPrivateProfileSectionA
CreateFileA
LocalShrink
QueryPerformanceCounter
GlobalFindAtomA
GetOEMCP
VirtualUnlock
BackupSeek
SetFirmwareEnvironmentVariableA
LocalCompact
SetFileValidData
WriteConsoleA
GetFileAttributesW
GetFileSize
VirtualAlloc
VirtualFreeEx
QueueUserAPC
GetLongPathNameW
SetVDMCurrentDirectories
SetProcessWorkingSetSize
LoadLibraryA
SetConsoleOutputCP
VerLanguageNameW
QueryActCtxW
OpenSemaphoreA
SetUnhandledExceptionFilter
ReadConsoleInputExW
CreateTapePartition
GlobalAddAtomW
_llseek
FindFirstFileExW
SetComputerNameExA
BuildCommDCBAndTimeoutsW
UnregisterWait
SetClientTimeZoneInformation
FileTimeToDosDateTime
CreateDirectoryW
GetSystemTimeAsFileTime
SetVolumeMountPointA
GlobalGetAtomNameA
LZCreateFileW

setupapi

pSetupUnicodeToMultiByte
SetupDecompressOrCopyFileW
SetupQueryDrivesInDiskSpaceListA
CM_Get_Class_Name_ExW
CM_Get_Device_ID_ListW
CM_Disable_DevNode
pSetupGuidFromString
CM_Create_DevNodeW
CM_Get_DevNode_Status
SetupUninstallOEMInfA
CM_Get_Device_Interface_ListW
SetupDiGetDeviceInfoListDetailA
SetupScanFileQueue
pSetupOpenAndMapFileForRead
CM_Get_Parent_Ex
SetupDiEnumDeviceInfo
SetupDiLoadClassIcon
SetupQueryInfFileInformationA
SetupRemoveFromSourceListA
SetupFindNextLine
SetupDiClassGuidsFromNameW
SetupInstallFromInfSectionW
SetupQueueDeleteSectionW
CM_Set_DevNode_Problem_Ex
CM_Set_Class_Registry_PropertyA
CM_Get_Device_ID_ListA
SetupGetSourceFileSizeW
SetupUninstallOEMInfW
CM_Get_Parent
pSetupCenterWindowRelativeToParent
SetupDiGetClassInstallParamsA
SetupDiGetDeviceRegistryPropertyA
SetupDiUnremoveDevice
SetupSetPlatformPathOverrideA
MyFree
CM_Request_Device_Eject_ExA
SetupDiInstallClassW
SetupDiInstallDriverFiles

query

?SetLPSTR@CStorageVariant@@QAEXPBDI@Z
?ReadProperty@CPropStoreManager@@QAEHKKAAUtagPROPVARIANT@@PAEPAI@Z
?Find@CStaticPropertyList@@UAEPBVCPropEntry@@PBG@Z
?EndTransaction@CPropStoreManager@@QAEXKHKK@Z
??1CPhysStorage@@UAE@XZ
?CIShutdown@@YGXXZ
??0CFwAsyncWorkItem@@QAE@AAVCWorkManager@@AAVCWorkQueue@@@Z
_AbortMerges@16
?wcsipattern@@YGPAGPAGPBG@Z
DoneCIISAPIPerformanceData
CiSvcMain
?ContainsDrive@CDriveInfo@@SGHPBG@Z
BeginCacheTransaction
?DisableNotification@CRegNotify@@QAEXXZ
??1CSort@@QAE@XZ
?SetR8@CStorageVariant@@QAEXNI@Z
?Rewind@CMmStreamConsecBuf@@QAEXXZ
?Add@CDbColumns@@QAEHABVCDbColId@@I@Z
?IsCatalogInactive@CCatalogAdmin@@QAEHXZ
?GetDWORDParam@CMachineAdmin@@QAEHPBGAAK@Z
?ResetType@CAllocStorageVariant@@IAEXAAVPMemoryAllocator@@@Z
?BeginTransaction@CPropStoreManager@@QAEKXZ
?Add@CKeyArray@@QAEHHABVCKey@@@Z
?AbortWorkItems@CWorkManager@@QAEXXZ
?SetCD@CCatState@@QAEXPBG@Z
?AcqLine@CQueryScanner@@QAEPAGH@Z
?LokNewWorkId@CPropertyStore@@AAEKKHH@Z
?IsCIStarted@CMachineAdmin@@QAEHXZ
??0CColumns@@QAE@I@Z
??0CLocalGlobalPropertyList@@QAE@K@Z
?GetVolumeName@CDriveInfo@@QAEPBGH@Z
?EnumVServers@CMetaDataMgr@@QAEXAAVCMetaDataVirtualServerCallBack@@@Z
?GetBrowserCodepage@@YGKAAVCWebServer@@K@Z
??1CSynRestriction@@QAE@XZ
??1CDbSortSet@@QAE@XZ
?GetWChar@CMemDeSerStream@@UAEXPAGK@Z
?SetLogonInfo@CScopeAdmin@@QAEXPBG0AAVCCatalogAdmin@@@Z
??0CPerfMon@@QAE@PBG@Z
??1CPropertyStoreWids@@QAE@XZ
?GetCLSID@CAllocStorageVariant@@QBE?AU_GUID@@I@Z
?SkipChar@CMemDeSerStream@@UAEXK@Z
??1CNatLanguageRestriction@@QAE@XZ
??0CRcovStrmTrans@@IAE@AAVPRcovStorageObj@@W4RcovOpType@@@Z
?GetLocation@CCatalogAdmin@@QAEPBGXZ

crypt32

CertAddSerializedElementToStore
CryptEnumOIDInfo
CryptSIPAddProvider
CryptMsgUpdate
CryptStringToBinaryA
CryptSetOIDFunctionValue
CryptSIPPutSignedDataMsg
CryptExportPKCS8
I_CryptAddRefLruEntry
CertComparePublicKeyInfo
CertGetCertificateChain
CertCompareCertificate
CertDeleteCTLFromStore
CryptCreateKeyIdentifierFromCSP
CryptMsgEncodeAndSignCTL
I_CertUpdateStore
CryptMemAlloc
CryptHashPublicKeyInfo
I_CryptEnableLruOfEntries
RegQueryInfoKeyU
CertEnumCertificatesInStore
CryptMsgClose
CertGetIntendedKeyUsage
CryptSIPRetrieveSubjectGuidForCatalogFile
I_CryptGetAsn1Encoder
CryptMsgOpenToDecode
CertRegisterPhysicalStore
CryptFormatObject
CertSerializeCTLStoreElement
CryptSIPGetSignedDataMsg
CryptRegisterDefaultOIDFunction
CryptVerifyMessageHash
CryptEnumOIDFunction
RegEnumValueU
CryptMsgCountersignEncoded
CertFindCRLInStore

advapi32

GetExplicitEntriesFromAclW
LsaICLookupNamesWithCreds
SystemFunction026
EnumServiceGroupW
CryptDuplicateHash
SystemFunction011
LsaGetUserName
CredUnmarshalCredentialW
SetUserFileEncryptionKey
ControlTraceA
LsaDeleteTrustedDomain
OpenBackupEventLogA
StartTraceW
MD4Init
QueryUsersOnEncryptedFile
TraceMessageVa
EnableTrace
SystemFunction034
ElfOldestRecord
RegQueryValueExA
OpenSCManagerA
ElfOpenBackupEventLogA
CryptHashData
SetAclInformation
GetNumberOfEventLogRecords
QueryServiceConfigW
ElfRegisterEventSourceA
LookupAccountNameA
LockServiceDatabase
GetAccessPermissionsForObjectW
BuildImpersonateExplicitAccessWithNameW
A_SHAInit
GetAccessPermissionsForObjectA
ConvertSecurityDescriptorToAccessNamedA
StopTraceW
FreeEncryptedFileKeyInfo
LsaQueryTrustedDomainInfo
RegCreateKeyExA
RegUnLoadKeyA
SystemFunction031

msvcp60

?setiosflags@std@@YA?AU?$_Smanip@H@1@H@Z
??0locale@std@@QAE@ABV01@0H@Z
?quiet_NaN@?$numeric_limits@J@std@@SAJXZ
??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAF@Z
??1?$money_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@UAE@XZ
?pow@std@@YA?AV?$complex@N@1@ABV21@0@Z
?_Getname@_Locinfo@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?curr_symbol@?$_Mpunct@G@std@@QBE?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@2@XZ
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEGXZ
?_Init@?$numpunct@D@std@@IAEXABV_Locinfo@2@@Z
?do_close@?$messages@D@std@@MBEXH@Z
?_Doraise@out_of_range@std@@MBEXXZ
??_7?$basic_ofstream@DU?$char_traits@D@std@@@std@@6B@
??Dstd@@YA?AV?$complex@M@0@ABV10@0@Z
??_8?$basic_fstream@DU?$char_traits@D@std@@@std@@7B?$basic_ostream@DU?$char_traits@D@std@@@1@@
?find_first_not_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z
_FExp
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@W4_Uninitialized@1@@Z
??4bad_exception@std@@QAEAAV01@ABV01@@Z
??4?$_Complex_base@N@std@@QAEAAV01@ABV01@@Z
?copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPADII@Z
??0?$ctype@D@std@@QAE@PBF_NI@Z
?sync@?$basic_istream@GU?$char_traits@G@std@@@std@@QAEHXZ
?_Sinh@?$_Ctr@N@std@@SANNN@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
??_8?$basic_ostream@DU?$char_traits@D@std@@@std@@7B@

Sections

.text
Size: 93KB - Virtual size: 92KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 128KB - Virtual size: 128KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 596KB - Virtual size: 2.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 364B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

def23542706b4c1bf230bd9cb867c04e

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

kernel32

setupapi

query

crypt32

advapi32

msvcp60

Sections

.text Size: 93KB - Virtual size: 92KB

.rdata Size: 128KB - Virtual size: 128KB

.data Size: 596KB - Virtual size: 2.0MB

.rsrc Size: 7KB - Virtual size: 7KB

.reloc Size: 512B - Virtual size: 364B

.text
Size: 93KB - Virtual size: 92KB

.rdata
Size: 128KB - Virtual size: 128KB

.data
Size: 596KB - Virtual size: 2.0MB

.rsrc
Size: 7KB - Virtual size: 7KB

.reloc
Size: 512B - Virtual size: 364B